rfc-lookup
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
npx -yto download the@mjpitz/mcp-rfcpackage from the npm registry at runtime during the execution of RFC lookup commands. - [REMOTE_CODE_EXECUTION]: The skill executes code from a third-party package (
@mjpitz/mcp-rfc) that is not listed as a trusted vendor. This execution occurs vianpxwhen the agent attempts to fetch or search for RFCs. - [COMMAND_EXECUTION]: The skill invokes shell commands using
python3 $MCP_CALLto bridge communication with the RFC MCP server, providing a local execution path for the downloaded package. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection by ingesting document content from the external IETF RFC registry.
- Ingestion points: Full RFC text and specific sections are retrieved via
get_rfcandget_rfc_sectioncalls withinSKILL.md. - Boundary markers: The instructions do not define delimiters or special tokens to separate RFC content from the agent's internal system instructions.
- Capability inventory: The skill allows the execution of system commands through the
$MCP_CALLenvironment variable andnpx. - Sanitization: There is no evidence of sanitization or filtering of the RFC content before it is processed by the agent.
Audit Metadata